
UK Steam Update! Age Verification Feature Updated to Comply with the Online Safety Act


January 8, 2026

Summary

Valve announced that starting August 29, 2025, Steam in the UK will implement a credit-card-based age verification system to comply with the UK Online Safety Act (OSA). All UK users who wish to access “mature-rated” game store pages and related community content must opt in by adding a valid credit card to their account. The system verifies the card through a £0 authorization and bank confirmation, and the verification remains valid as long as the card stays on file. Valve explains that this approach follows Ofcom’s guidance that credit-card checks are an effective age-assurance method, and it protects user privacy better than facial scans or ID uploads. Keeping a card on file also discourages account sharing.

Recently, Valve updated its age verification feature for the UK region, effective August 29, 2025, to comply with the UK Online Safety Act (OSA) regulatory requirements. The core requirement of the new policy is clear: all Steam users located in the UK who wish to access store pages for games rated “mature” and their associated community hubs must first complete a one-time age verification process. This is an opt-in process requiring users to actively choose to participate, rather than being enabled by default.

Valve offers UK users a single, mandatory verification mechanism: adding a valid credit card to their Steam account. Long-time users who already have a credit card linked to their account will face no new restrictions and retain unrestricted access to relevant content.

The verification process is as follows. Users log in to their Steam account, navigate to the “Account Details” page, and click the “Add Payment Method” button. The system then prompts them to enter their credit card details: card type, card number, CVV security code, expiration date, cardholder name, and billing address. After the information is submitted, the system triggers a £0 authorization transaction and, depending on the issuing bank's policy, presents a verification challenge, such as a one-time password (OTP) sent to the user's mobile phone or a confirmation in the bank's mobile app.

Once this process is successfully completed, the user's account is considered “age verified.” The verification status is tied directly to whether the card remains linked: as long as the credit card stays stored in the account, the verification remains active. This is not a one-time identity confirmation but a continuously maintained status. If the user removes the credit card, their access to adult content may be revoked.

Valve has provided a clear official explanation for its chosen single verification method, with its core rationale centered on three key aspects: compliance with regulatory guidance, maximizing user privacy protection, and enhancing account security.

First, Valve explicitly states that its decision is based on guidance from Ofcom, the UK's independent regulator for communications. In its guidance on the Online Safety Act, Ofcom identifies credit card verification as an “effective age assurance measure.” This classification stems from UK financial regulations: individuals must be at least 18 years old to legally apply for and obtain a credit card. Consequently, credit card issuers already bear a legal obligation to verify applicants' ages before issuing cards. By leveraging this existing, heavily regulated verification outcome, Steam can indirectly confirm user ages, thereby meeting regulatory requirements.

Second, Valve prioritizes user privacy protection at a strategic level. Valve emphasizes that credit card verification “maximizes user privacy” compared to other potential age verification methods (such as facial scans or uploading government-issued IDs). The key lies in the fact that the data processed during the entire verification process is identical to the data processed when millions of users make routine purchases on Steam or conveniently store payment information. This means the verification process itself does not disclose any new information about users' content preferences to payment providers or any other third parties.

Finally, Valve believes that storing credit cards as a persistent payment method within accounts also serves as an “additional deterrent” against multiple users sharing the same Steam account to circumvent age verification. This design increases the complexity and risk of account sharing, thereby reinforcing the effectiveness of age restrictions to some extent.

Valve's chosen strategy profoundly reflects its core considerations when addressing regulatory pressures. Faced with potential fines of up to 10% of global revenue under the Online Safety Act and the data breach risks other platforms encounter by adopting third-party biometric or ID verification services, Valve clearly prioritizes avoiding data security risks and preserving user trust.

In other regulated markets (such as Germany), Valve has historically tended to block content directly rather than handle sensitive national identity information. Thus, the credit card verification solution represents a “path of least resistance” for data security. It not only leverages existing, secure, and compliant internal systems but also “outsources” primary age verification responsibility to financial institutions, thereby minimizing Valve's own legal and data processing liabilities. This is a deliberate strategic choice designed to avoid creating databases of sensitive user information, which security experts term data “honey pots.”
